Setting up a FreeBSD Server on Hetzner, Part 1: Base Install and ssh

This blog post covers how to configure a FreeBSD virtual machine located in a Hetzner (a German hosting provider) datacenter:

install a baseline of packages (git sudo bash vim rsync)

place /etc under revision control (git)

create a non-root user

lock down ssh (keys only)
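As an added example (not part of the original post), here is a small POSIX sh helper for the "keys only" ssh step. It sets an sshd_config option idempotently: an existing active or commented-out line for the key is replaced instead of a duplicate being appended, and a key that is not present at all is inserted above any Match block so it applies globally. The sample config is constructed to resemble FreeBSD's stock file; on the server the real file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post. Works on a copy of
# sshd_config so it can be tried anywhere; the real file on FreeBSD is
# /etc/ssh/sshd_config (an assumption of this demo, not taken from the post).

set -u

# set_sshd_option FILE KEY VALUE
# Replace any existing line for KEY (active or commented out) with
# "KEY VALUE", keeping only one such line. If KEY is absent, insert it
# before the first Match block (or at the end), so it is a global setting.
# Avoids sed -i, whose syntax differs between FreeBSD and GNU sed.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            BEGIN { done = 0 }
            {
                line = $0
                sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
                split(line, f, /[[:space:]]+/)
                if (tolower(f[1]) == tolower(k)) {
                    if (!done) { print k " " v; done = 1 }
                    next
                }
                print
            }' "$file" > "$tmp"
    else
        awk -v k="$key" -v v="$value" '
            BEGIN { done = 0 }
            !done && tolower($1) == "match" { print k " " v; done = 1 }
            { print }
            END { if (!done) print k " " v }' "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY -> prints the value of the first active line for KEY
get_sshd_option() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: the key-only policy this post arrives at.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# Constructed sample resembling FreeBSD's stock file (mostly commented defaults).
make_sample_config() {
    cat > "$1" <<'EOF'
# This is the sshd server system-wide configuration file.
#Port 22
#PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Subsystem	sftp	/usr/libexec/sftp-server
EOF
}

# Demo on a throwaway copy (safe to run anywhere).
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/sshd_config"
harden_sshd "$demo_dir/sshd_config"
cat "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```

After editing the real file, check it with `sshd -t`, reload with `service sshd reload`, and test a key-based login from a second terminal before closing the session you are in: a mistake in this file locks you out of the server.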

This blog post does not cover the initial FreeBSD installation; Hetzner's wiki covers that quite adequately: http://wiki.hetzner.de/index.php/FreeBSD_installieren/en. The one exception is the IPv6 portion, which did not work properly for me, so I configured IPv6 differently (see below for details).

Hetzner is a cost-effective alternative to Amazon AWS. In addition, it offers native IPv6 on the server itself, which at the time of writing Amazon offered only on its ELBs (Elastic Load Balancers).

Let's talk about the .gitignore entries: they exist for security reasons, because I plan to publish /etc to a public github repo. The first two entries (master.passwd and spwd.db) contain the password hashes; once those are public, anyone can run an offline dictionary or brute-force attack against them at leisure. Even though further down we eliminate password authentication for ssh, you don't want an attacker to learn your account/password combination: the same password still guards console logins and sudo.

The remaining .gitignore entries are the ssh host keys under /etc/ssh (the private halves). Leaking them is a real risk, though not for the reason you might expect: with the Diffie-Hellman key exchange of SSH-2, knowing the host private key does not let someone who merely snoops the packets decrypt the traffic. What it does allow is impersonation. An attacker who can get on the path between your workstation and the server (say, by compromising the Cisco switch to which your workstation is connected) can present the genuine host key, and your ssh client will not warn you that it is talking to the wrong machine. If a host private key is ever exposed, delete the files and regenerate them (on FreeBSD, service sshd keygen recreates missing keys), then update the known_hosts entries on your clients.
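Added example, not from the original post: a pre-publish check for the /etc repo. It writes the ignore list the post describes (the `ssh/ssh_host_*_key` glob is my spelling of the ssh host-key entries, an assumption), scans a tree for private-key markers and crypt(3) password hashes, and reports any hit that no ignore entry covers. The sample tree is constructed and includes one extra file with a hash that the list does not cover, to show the check catching it; on the server, run `leaks /etc` before the first commit.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a directory tree for
# secrets and checks each one against a .gitignore written from the post's
# list. The matcher is deliberately simple (plain globs on the relative path
# or the basename; no negation, no anchored patterns).

set -u

# write_gitignore DIR: the entries the post describes; the ssh glob is assumed.
write_gitignore() {
    cat > "$1/.gitignore" <<'EOF'
master.passwd
spwd.db
ssh/ssh_host_*_key
EOF
}

# find_secrets DIR: print paths (relative to DIR) of files containing private
# key material or crypt(3) hashes such as $6$salt$hash or $2b$10$...
find_secrets() {
    dir=$1
    find "$dir" -type f ! -path '*/.git/*' | while read -r f; do
        if grep -aq -- '-----BEGIN .*PRIVATE KEY-----' "$f" ||
           grep -aEq '\$(1|2[aby]?|5|6)\$[^$]*\$' "$f"; then
            printf '%s\n' "${f#$dir/}"
        fi
    done | sort
}

# is_ignored DIR PATH: succeeds if PATH matches some entry in DIR/.gitignore
is_ignored() {
    dir=$1 rel=$2
    [ -f "$dir/.gitignore" ] || return 1
    while read -r pat; do
        case "$pat" in ''|'#'*) continue ;; esac
        case "$rel" in $pat) return 0 ;; esac
        case "${rel##*/}" in $pat) return 0 ;; esac
    done < "$dir/.gitignore"
    return 1
}

# leaks DIR: secrets that would be committed because nothing ignores them
leaks() {
    find_secrets "$1" | while read -r rel; do
        is_ignored "$1" "$rel" || printf '%s\n' "$rel"
    done
}

# Constructed sample tree standing in for /etc (hash strings are fake).
make_sample_etc() {
    mkdir -p "$1/ssh"
    printf 'root:$6$saltsalt$abcdefghijklmnop:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$1/master.passwd"
    printf 'root:*:0:0:Charlie &:/root:/bin/sh\n' > "$1/passwd"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n' > "$1/ssh/ssh_host_rsa_key"
    printf 'ssh-rsa AAAAB3... root@host\n' > "$1/ssh/ssh_host_rsa_key.pub"
    # a hash-bearing file the post's list does not mention, to show the check catching it
    printf 'bob:$2b$10$abcdefghijklmnopqrstuv.wxyz012345678:1001:1001::0:0:Bob:/home/bob:/bin/sh\n' > "$1/local.passwd"
}

# Demo on a constructed tree: expected to report local.passwd only.
demo=$(mktemp -d)
make_sample_etc "$demo"
write_gitignore "$demo"
echo "secrets found:"; find_secrets "$demo"
echo "not covered by .gitignore:"; leaks "$demo"
rm -rf "$demo"
```

Anything `leaks` reports needs either a new ignore entry or, better, a look at why a secret lives in /etc in the first place. The hash regex covers the common crypt(3) prefixes; extend it if your system uses others.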

Now let’s log in as the new user and set the IPv6 address based on the information in the IPs tab of the Hetzner web interface. Note that we set the ::2 address of our /64 to be our server’s IP address, and the ::1 address to be our default route.
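Added example, not from the original post: a few sh functions that derive the rc.conf lines for this step from the /64 shown on the Hetzner IPs tab, following the post's convention (::2 for the server, ::1 for the default route). The prefix 2001:db8:1:2::/64 is from the IPv6 documentation range and stands in for your real one, and the interface name em0 is an assumption; check `ifconfig` on your server for the actual name.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the IPv6 lines
# for /etc/rc.conf from a /64 prefix. Interface name and prefix below are
# placeholders; substitute the values from the Hetzner web interface.

set -u

# prefix64 PREFIX -> the prefix normalised to four groups and "::",
# e.g. "2001:db8:1:2::". Accepts "2001:db8:1:2::", "2001:db8:1:2::/64"
# or a fully written-out "2001:db8:1:2:0:0:0:0".
prefix64() {
    p=${1%/64}
    printf '%s' "$p" | awk -F: '{ printf "%s:%s:%s:%s::\n", $1, $2, $3, $4 }'
}

# ::2 is the server, ::1 the default route (the post's convention).
server_addr()  { printf '%s2\n' "$(prefix64 "$1")"; }
gateway_addr() { printf '%s1\n' "$(prefix64 "$1")"; }

# rcconf_ipv6 IFACE PREFIX -> the lines to append to /etc/rc.conf
rcconf_ipv6() {
    iface=$1 prefix=$2
    printf 'ifconfig_%s_ipv6="inet6 %s prefixlen 64"\n' "$iface" "$(server_addr "$prefix")"
    printf 'ipv6_defaultrouter="%s"\n' "$(gateway_addr "$prefix")"
}

# Demo with the documentation prefix and an assumed interface name.
rcconf_ipv6 em0 2001:db8:1:2::/64
```

Append the two lines to /etc/rc.conf, then apply them with `service netif restart` followed by `service routing restart` (do this from the Hetzner console or be prepared to reconnect, since it briefly takes the interface down). Verify with `ifconfig em0 inet6` and a `ping6` to an external host.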

Finally, publish the /etc repo to github. I used a public repo; if you follow suit, use a private repo unless you are confident that nothing you publish will compromise the security of your server.

I'm a systems administrator at Pivotal Labs. I've worked at a slew of startups and with a slew of UNIXes (OS X, Linux, FreeBSD, OpenBSD, HP-UX, AIX, Solaris/SunOS UTS, Xenix, Ultrix, and even the original UNIX). In my spare time I play rugby.